Archive for the ‘Network Security’ Category

Proactive Security: Using SPF Records to Prevent E-Mail Domain Spoofing

April 5th, 2008 3 comments

SPAM and phishing are both really big problems for pretty much any organization right now, and it appears to only be getting worse. One of the most common tactics used by spammers is to forge legitimate domain names in the e-mails they send. The goal here is to trick a user into opening these messages, or at least to get them through a SPAM filtering service to a user’s inbox.

The best way to prevent your e-mail domain from being spoofed is through the use of Sender Policy Framework (SPF) Records. This is basically a DNS TXT record that mail servers and spam filtering services access to verify the source of e-mail messages as they arrive.

In order to create an SPF record, start by opening the DNS MMC snap-in. From here, browse to the forward lookup zone for this DNS server, right click in the blank area, choose Other New Records, and select Text (TXT). The typical value for this record (minus the quotes) should be “v=spf1 a mx -all”. What this says is that all mail received from an IP address listed in the sending domain’s A or MX records is legitimate, and mail from any other address should be rejected (that is what the “-all” at the end means). This will suffice for most companies, but if you want to get a little stricter, you can use an entry of “v=spf1 a mx ip4:192.168.1.2 -all”. This explicitly authorizes 192.168.1.2 (alongside the A and MX hosts) as an address that valid mail can be sent from.
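To show what a receiving mail server actually does with that TXT record, here is a small SPF evaluator added as a worked example; it is not part of the original post and is not taken from any SPF library. It walks a v=spf1 record left to right, and uses a constructed, made-up DNS table (example.com, the 203.0.113.x addresses and 192.168.1.2 are all illustrative) in place of live lookups so it runs offline. It covers only the mechanisms used above (a, mx, ip4, all) with the four qualifiers; include:, redirect= and the DNS lookup limit are left out.

```python
import ipaddress

# Constructed DNS data standing in for live lookups so the example runs offline.
# "A" maps a hostname to its addresses, "MX" maps a domain to its mail exchangers.
# Every name and address here is made up for illustration.
FAKE_DNS = {
    "example.com": {"A": ["203.0.113.10"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.25"]},
}

# SPF qualifier prefix -> result when the mechanism it precedes matches
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=FAKE_DNS):
    return dns.get(name, {}).get(rtype, [])


def networks_for(mechanism, domain, dns=FAKE_DNS):
    """Expand an 'a' or 'mx' mechanism into the addresses it authorises."""
    hosts = [domain] if mechanism == "a" else lookup(domain, "MX", dns)
    return [ipaddress.ip_network(addr)
            for host in hosts for addr in lookup(host, "A", dns)]


def evaluate_spf(record, sender_ip, domain, dns=FAKE_DNS):
    """Return pass/fail/softfail/neutral/none/permerror for one connecting IP.

    Mechanisms are tested in order; the first one that matches decides the
    result, which is why '-all' belongs at the very end of the record.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"                     # an unqualified mechanism passes on match
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]   # 'all' matches everything
        if name in ("a", "mx"):
            nets = networks_for(name, arg or domain, dns)
        elif name == "ip4":
            nets = [ipaddress.ip_network(arg, strict=False)]   # allows ip4:192.168.1.0/24
        else:
            return "permerror"              # unknown mechanism: receivers treat the record as broken
        if any(ip in net for net in nets):
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                        # ran off the end without any match


if __name__ == "__main__":
    checks = [
        ("v=spf1 a mx -all", "203.0.113.25"),                 # the MX host: pass
        ("v=spf1 a mx ip4:192.168.1.2 -all", "192.168.1.2"),  # the extra ip4 entry: pass
        ("v=spf1 a mx ip4:192.168.1.2 -all", "198.51.100.7"), # a forger: fail
        ("v=spf1 a mx ~all", "198.51.100.7"),                 # same forger, soft policy: softfail
    ]
    for rec, ip in checks:
        print(f"{ip:>14}  {rec:<36} -> {evaluate_spf(rec, ip, 'example.com')}")
```

Running it shows why the qualifier on the final term matters: with “-all” a forged source is a hard fail, with “~all” it is only a softfail that most filters merely score, and a record with no “all” at the end leaves an unlisted sender as neutral, which is barely better than having no record at all.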

It is considered a good proactive security principle to configure an SPF record for your domain, regardless of whether you are having SPAM/Phishing problems or not.

Proactive Security: Using Read-Only Domain Controllers

March 21st, 2008 No comments

One of the new features in Windows Server 2008 that is getting the most attention is the introduction of the Read-Only Domain Controller (RODC).

If you manage a network that utilizes more than one domain controller then you are aware of Active Directory’s multimaster replication structure. In this architecture, any change made to Active Directory on any domain controller is replicated to all of the others. This has made administration a breeze in the past, since administrators could make a change at any remote site and have it reflected on all of the domain controllers in the network.

The problem here arises with the threat of a security breach. Managing network and physical security at remote office locations has always been a challenge. If an intruder with malicious intentions gained access to an organization’s domain controller at a branch office, he/she could easily destroy the whole Active Directory infrastructure throughout the ENTIRE organization.

Microsoft has addressed this issue with the development of the RODC. An RODC is designed for branch offices where the network conditions require a local source of authentication, but a lack of physical security monitoring and localized administration makes placing a full domain controller a security risk. The RODC only allows for one-way replication: Active Directory information can be replicated to it from another domain controller, but it may not replicate information to any other domain controllers.

With an RODC deployed at a branch office, an individual with malicious intentions cannot make modifications to the Active Directory infrastructure, therefore alleviating the security risks we have mentioned.

You can deploy an RODC by simply choosing the appropriate option when running the dcpromo utility during domain controller promotion.

Proactive Security: Avoid E-Mail Server Blacklisting

February 20th, 2008 No comments

Getting blacklisted is pretty much the worst thing that can happen as far as users are concerned. The typical result of your IP address getting blacklisted is that you can no longer send to anybody who subscribes to a spam filtering service. These services use databases such as the CBL to check whether or not an IP address is sending illegitimate e-mail.

Here are a couple of things you can do to prevent getting blacklisted:

  1. Use virus protection on your server. I’d say 95% of the time when someone gets blacklisted it is because the e-mail server or a client within the network is sending out spam messages due to a compromise.
  2. Block port 25 access from all machines except your e-mail server. By making this change in a firewall or router ACL, you can ensure that nobody is communicating through SMTP except your e-mail server.
  3. Subscribe to a SPAM filtering service. Obviously, the less SPAM you receive, the less SPAM your users will be subject to. Even clicking on a link from one SPAM message can get a computer infected as part of a botnet, which will cause you to get blacklisted. I personally recommend Appriver.
  4. Filter inbound allowed servers. If you are using a SPAM filtering service that also queues inbound e-mail, make sure that your e-mail server is set to only receive incoming mail from the remote filtering servers.
  5. Make sure that your e-mail server presents itself as valid. A lot of the time remote systems will perform checks on your server to make sure it is valid. The best way to make sure these checks come back to the remote system as they would like to see them is to set a masquerade domain to your domain name (i.e. domain.com) and make sure your ISP has your reverse DNS entry set correctly. You can work with them to make sure it is set to what it is supposed to be.
  6. Make sure you are not set as an open relay. If you are, then anybody can relay mail through your server and cause you to get blacklisted. You can test this here.

Doing all of these things SHOULD keep you from getting blacklisted. If you do by chance happen to still get blacklisted then you should work with the organization that blacklisted you to get to the bottom of this. I have personally worked with the CBL on blacklisting issues several times and they have some pretty dedicated people who will help you.


Proactive Security: E-mail Archiving and Retention

November 2nd, 2007 4 comments

If your organization does any type of business over e-mail, then you need to be saving every single e-mail sent and received from your e-mail system. Period. End of story. No way around it.

The need for this was something I had always been aware of, but wasn’t something I completely acknowledged until an IT strategy meeting with a local client. That client asked a pretty simple question: “If I am involved in some form of litigation and I have to show proof that an e-mail was sent at a certain time with specific content, and that this e-mail has not been tampered with, how am I going to make this happen?”

Unfortunately, this isn’t just one of those things that are nice to have; it’s required. Thanks to the Sarbanes-Oxley Act of 2002, public companies must prove:

“their internal controls and audit trails are sound and that their processes are capable of producing certifiably correct data. Companies must retain all correspondence created, sent, or received “in connection with an audit or review” of a public company for a period of seven years, during which time these records must be non-erasable and non-rewritable. This includes any “electronic records” such as email, particularly relating to subjects, departments or individuals involved in auditing procedures. Failure to comply is a crime, punishable by up to 10 years in jail.”

So what type of system can be implemented in order to make this happen? Well luckily, there is a whole section of the IT industry devoted to this. Some of the more popular products that achieve this goal include:

Any of these products and several more not listed can help you to implement a secure compliant method of archiving e-mail messages. These solutions aren’t exactly cheap, but the return on investment will come quickly when being able to reproduce an e-mail saves your company from a multi-million dollar lawsuit.

Proactive Security: Analyzing Exchange Security

October 20th, 2007 No comments

Microsoft Exchange is the most popular e-mail server application on the market. Unfortunately, when implementing an Exchange server, security is often overlooked. There are a lot of considerations when thinking about Exchange security. One of the best places to start is by running the Baseline Security Analyzer. You can download it here: http://www.microsoft.com/technet/security/tools/mbsahome.mspx. A few other quick tips include running the Exchange Best Practices Analyzer (link), requiring SSL connections for Outlook Web Access (link), using Kerberos authentication rather than NTLM (link),

Proactive Security: Employee Termination Policy

June 20th, 2007 2 comments

Most people have heard horror stories about employees who are fired and then proceed to go on a violent rampage through the office as they exit. It is for this reason that most organizations have policies in place that require terminated employees to be escorted out of the building by a security officer or member of upper level administration.

This same policy can be applied to network administration. I have heard countless tales of network users whose last act before leaving the building after being fired is to romp across any server they have access to, deleting files as they go. In all honesty, if a disgruntled former employee ONLY deletes data then you are getting off easy. How about if the employee has access to business critical information and takes a copy with them when they leave to sell off to the highest bidder? What if it is a member of the IT staff who has just been fired and he/she decides to change all of the domain administrative passwords or delete the NTLDR file on the domain controller? Even worse, what if the employee has access to sensitive financial information about employees, including account numbers and social security numbers?

What I am getting at here is that every organization needs to have a policy in place for limiting the technical resources of a user after they have been terminated. This includes disabling their user account, changing any departmental or administrative passwords they have access to, disabling corporate e-mail access, and locking down access to their personal workstation. In most cases you won’t want to immediately delete all of their account information, but disabling it and/or resetting passwords is the perfect option until you get the go-ahead from management to trash it all. This can be done manually by a particular member of the IT staff or can be set up in an automated fashion through the use of a script.

The Vulnerability/Exposure Model

June 5th, 2007 3 comments

When talking about network security it is pretty often that I hear people drop security “buzz-words” in the wrong context. For example, most people tend to think vulnerability, threat, and risk are the same thing when they most definitely aren’t. Here are a few common security terms and what they really mean in terms of network security:

Vulnerability – A vulnerability is a weakness in hardware, software, or physical security that can provide a potential attacker a means of gaining unauthorized access to a resource.

Example: A potential buffer underrun in an operating system is a vulnerability in that operating system.

Exploit – A program, process, or technique that takes advantage of a vulnerability.

Example: Cain & Abel is a program commonly used to exploit routers by implementing ARP cache poisoning.

Threat – Any potential danger to a file or network resource.

Example: There is a threat that someone will find a vulnerability in an operating system.

Threat Agent – Any entity that takes advantage of a vulnerability.

Example: A person accessing a network through a perimeter firewall is a threat agent.

Risk – The likelihood that a threat agent will take advantage of a vulnerability and the impact it will have on business operations.

Example: If a perimeter firewall has several ports open then there is a likelihood that a threat agent will take advantage of it, making it a risk.

Exposure – The instance of being exposed to losses from a threat agent. (Example: A vulnerability exposes an organization to losses.)

Example: If complex passwords are not used then the organization is exposed to people guessing users’ passwords.

Countermeasure – A device, process, or person put in place to mitigate potential risk.

Example: Using BIOS passwords is a good countermeasure for preventing users from accessing and modifying BIOS settings.

How They All Relate

If you read through all of these terms then you can clearly see they are all related in some way. Knowing how these terms are related is just as important as knowing the terms themselves.

For example, if a company has anti-virus software but doesn’t keep it updated then that company is now vulnerable to virus attacks. There is a threat that a virus will spread on the network and reduce productivity. The likelihood of a virus actually spreading on the network is the risk that it could happen. If a virus actually does spread on this company’s network then that virus (acting as a threat agent) has exploited the vulnerability and exposed the company to financial loss due to decreased productivity. This is all caused by the lack of a countermeasure to this vulnerability, which is to update the anti-virus software regularly.

A lot of this can be summed up in the image below which I have so cleverly named the Vulnerability/Exposure Model.


Secure Wireless Networking with ISA and RADIUS on WindowsDevCenter

January 23rd, 2007 1 comment

I have just had a full length article published on WindowsDevCenter.com entitled “Secure Wireless Networking with ISA and RADIUS”. It is a pretty nifty little guide on how you can setup enterprise level wireless security well beyond the standard WEP/WPA used in home networks. You can view the article on the front page of WindowsDevCenter.com or directly by clicking here.

Proactive Security: Analyzing Points of Failure

December 6th, 2006 No comments

Every single service or device on your network has at least one point of failure. That is, any point on a network that, when in a failure state, can cause a service to no longer function. Thinking small, a PC has several points of failure: the power supply, the motherboard, the hard drive; each one is a point of failure for that PC. Thinking on a larger scale, a service on a WAN might have dozens of points of failure: the router on either end of the WAN link, an internal switch, a network cable.

The goal is to have as few points of failure as possible for any service. A lot of this is achieved by making sure the layout of your network is conducive to having only a few points of failure. The other primary method of ensuring this is through redundancy. A two-node server cluster will eliminate the point of failure should one server crash. Don’t let that false sense of security trick you though: if you have two redundant servers sitting in the same rack, a spilled cup of coffee can make that rack another failure point ;)
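Counting points of failure by hand gets unreliable once a network has more than a handful of boxes, so here is a small script, added as an example and not part of the original post, that does the counting. It models a made-up branch-to-headquarters WAN (all the hostnames are constructed) as a graph of links plus a list of non-network dependencies, then tries removing each component in turn to see whether the branch PC can still reach a working cluster node. The shared rack power strip is modelled as a dependency of both cluster nodes, which is exactly the coffee-in-the-rack case above: the two-node cluster removes each server as a single point of failure, but the rack they share is still one.

```python
from itertools import combinations

# Constructed model of a small WAN, standing in for a real inventory.
# NETWORK lists links traffic can traverse; DEPENDS_ON lists things a host
# cannot run without that are not network paths (here, a shared power strip).
NETWORK = [
    ("branch-pc", "branch-switch"),
    ("branch-switch", "branch-router"),
    ("branch-router", "wan-link"),
    ("wan-link", "hq-router"),
    ("hq-router", "hq-switch"),
    ("hq-switch", "cluster-node-1"),
    ("hq-switch", "cluster-node-2"),
]
DEPENDS_ON = {"cluster-node-1": {"rack-pdu"}, "cluster-node-2": {"rack-pdu"}}
SERVICE_HOSTS = {"cluster-node-1", "cluster-node-2"}   # either node can serve the share


def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def service_available(graph, depends_on, client, service_hosts, failed=frozenset()):
    """True if the client can reach at least one service host whose dependencies are all up."""
    failed = set(failed)
    seen, stack = {client}, [client]
    while stack:                                   # depth-first walk avoiding failed nodes
        for nxt in graph.get(stack.pop(), ()):
            if nxt not in failed and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return any(h in seen and not (depends_on.get(h, set()) & failed)
               for h in service_hosts)


def all_components(graph, depends_on):
    return set(graph) | {d for deps in depends_on.values() for d in deps}


def single_points_of_failure(graph, depends_on, client, service_hosts):
    """Every component whose failure on its own takes the service away from the client."""
    candidates = all_components(graph, depends_on) - {client}
    return sorted(c for c in candidates
                  if not service_available(graph, depends_on, client, service_hosts, {c}))


def failure_pairs(graph, depends_on, client, service_hosts):
    """Pairs of non-SPOF components that break the service only when they fail together."""
    spofs = set(single_points_of_failure(graph, depends_on, client, service_hosts))
    rest = sorted(all_components(graph, depends_on) - {client} - spofs)
    return [(a, b) for a, b in combinations(rest, 2)
            if not service_available(graph, depends_on, client, service_hosts, {a, b})]


if __name__ == "__main__":
    g = build_graph(NETWORK)
    print("single points of failure:", single_points_of_failure(g, DEPENDS_ON, "branch-pc", SERVICE_HOSTS))
    print("pairs that fail together:", failure_pairs(g, DEPENDS_ON, "branch-pc", SERVICE_HOSTS))
```

The output lists every switch, router and the WAN link as single points of failure along with rack-pdu, while the two cluster nodes only show up as a pair. Feeding in a real inventory (links from switch port maps, dependencies from power and cooling records) turns this into the checklist the post is asking you to keep.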

The point of this is that you should always be aware of the points of failure on your network for its mission critical services. This will result in fewer disasters, and quicker disaster recovery should there be one.

Proactive Security: Service Isolation

November 14th, 2006 No comments

If your organization relies on technology to any reasonable extent then the chances are that you have servers responsible for several different services and roles. These roles and services can vary from database, to file, to web, to application services. These services all require some form of network communication and use a port to do so. The more services on a computer, the more ports open on that computer.

Nothing looks more juicy to a possible intruder than a machine sitting somewhere with forty-two different ports open on it. It is basically a big red flag saying “Hey! Exploit Me!” This being the case, service isolation can really deter a possible intrusion attempt. If a hacker sees several boxes each with only one or two ports open then they are a lot less likely to even bother with scanning the machines.

There are several ways you can go about service isolation. One of the most efficient ways is to leverage the use of Microsoft Virtual Server (or VMware Server if that is your cup of tea). Doing this you can still achieve a lot of the goals of server consolidation while maintaining a better security baseline. Even though all of these services are still running on the same physical server, running them on different virtual machines makes it appear as if they are all running on separate machines to those looking in from the outside.

Proactive Security: Investing in Wireless Security

November 1st, 2006 1 comment

Would you allow somebody to bring a laptop into your corporate headquarters and plug it directly into an Ethernet port? Then why would you allow someone easy access to your network via its wireless infrastructure? That is exactly what you are doing when you do not invest in the security of your wireless network.

It is so common to talk to a Network Admin and listen to them tout the security of their WEP or WPA enabled wireless network. WEP, WPA, and similar technologies are very easily bypassed by even the most novice of hackers. It is for this reason that I refer to securing a wireless network as “investing” in its security: relying on just the individual wireless access point’s own security is not enough.

If your wireless infrastructure is of any reasonable size then it is a safe bet to say that you should look into spending some extra money in securing it. How do you do this? There are a variety of different ways you can go about implementing server based wireless security. The most common (and secure) is RADIUS based security with the enhancement of certificate based authentication. This ensures that only the wireless clients listed in a RADIUS database on a physical server and holding a certificate pushed out by group policy will be able to authenticate to the network. If someone wishes to compromise the security of your wireless network then they must also compromise the RADIUS and certificate servers. There are several other ways to secure your wireless network beyond WEP/WPA, and I highly recommend looking into them.

Remember, you can never destroy all of the paths a hacker can take to compromising a device or service. You can however put plenty of hurdles in the way of those paths to make the process a lot harder.

Proactive Security: Managing the Administrator Account

October 24th, 2006 3 comments

The administrator account is perhaps one of the most sacred things there is on your network. I am not talking about the Domain Administrator account however; I am referring to the local administrator account. Obviously the domain administrator account has the most power out of any account in your network, but the fact of the matter is that you shouldn’t be logging in with this account anywhere anyway, and it is something that should be nearly impossible to crack from a hacker’s standpoint.

The local administrator account is where it all begins. If someone is going to break into your network the first thing they will need is to gain administrative privileges on a machine. If you can protect this account successfully then you are doing a good job of stopping internal attacks at the front line.

This being the case, how do you protect this account? Obviously, the first thing you will want to do is use a strong password. People should not be logging in to computers with this account so it is okay to make it something insanely long that nobody would really want to type. Be sure to use uppercase letters, lowercase letters, numbers, and even a few symbols when setting these passwords. In larger environments you will also want to make sure that the administrator accounts on all your computers vary by location. It is not too practical to make a different password for every single computer; however, you can make multiple passwords for various departments, locations, subnets, etc. These passwords should be changed frequently, as in monthly. If you want to get really creative you can do some scripting paired with group policy to make this task a lot easier.

One more thing you can do is to completely disable the administrator account altogether. This will make sure nobody is logging into it. However, this isn’t always feasible. Another solution I have often heard is renaming the administrator account. If you rename your administrator account to something other than “admin” or “root” that adds a completely new step of enumeration an attacker has to go through before beginning to try and compromise a system. A lot of the time you can deter an attacker just by making them jump through some extra hoops along the way.

Proactive Security: Conducting User and Group Permissions Audits

October 18th, 2006 4 comments

I got to looking at my calendar and noticed I had scheduled a User and Group permissions audit for today. I try to do these at least once every quarter and I am very glad I do. In an environment where you have multiple people who exercise their ability to assign permissions to various resources you can very quickly get people who aren’t on the same page assigning permissions that they shouldn’t be.

Completing this type of task may seem daunting once you start counting up the various network resources you have (printers, shared storage, etc.) but if you get an organized system going it really flies by quickly. I typically make an Excel spreadsheet where I have a heading for every network resource and a row for every group or user that has permissions assigned to it. From there I make a column for each type of access assigned (read, write, modify, etc.) and place an “X” in the ones that apply to the user or group.
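The spreadsheet described above is easy to build from a list of ACL entries, and once it is in a machine-readable form the audit can also flag the grants that usually turn out to be mistakes and diff this quarter against last quarter. The script below is an added example, not part of the original post; the share and printer names, the groups and the user jsmith are all constructed for illustration, and in practice the entries would be pulled from each resource’s ACL rather than typed in.

```python
import csv
import io

# Constructed ACL inventory: (resource, principal, rights granted).
# A real audit would gather these rows from every share, folder and print queue.
ACL_ENTRIES = [
    (r"\\fs01\Finance", "Domain Admins", {"read", "write", "modify"}),
    (r"\\fs01\Finance", "Finance Users", {"read", "write"}),
    (r"\\fs01\Finance", "Everyone", {"read"}),
    (r"\\fs01\Public", "Everyone", {"read", "write"}),
    (r"\\print01\HR-Laser", "HR Users", {"print"}),
    (r"\\print01\HR-Laser", "jsmith", {"print", "manage"}),
]
RIGHTS = ["read", "write", "modify", "print", "manage"]      # the spreadsheet columns
# Principals that are groups; anything else granted directly is an individual account.
KNOWN_GROUPS = {"Domain Admins", "Finance Users", "HR Users", "Everyone"}


def build_matrix(entries):
    """Return {resource: {principal: set(rights)}}: one row per principal per resource."""
    matrix = {}
    for resource, principal, rights in entries:
        matrix.setdefault(resource, {}).setdefault(principal, set()).update(rights)
    return matrix


def to_csv(matrix, rights=RIGHTS):
    """Render the matrix as the post's spreadsheet: an X under each right that applies."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["resource", "principal"] + rights)
    for resource in sorted(matrix):
        for principal in sorted(matrix[resource]):
            granted = matrix[resource][principal]
            writer.writerow([resource, principal] + ["X" if r in granted else "" for r in rights])
    return buf.getvalue()


def audit_findings(matrix, known_groups=KNOWN_GROUPS):
    """Grants an auditor would question: world-writable resources and rights given to individuals."""
    findings = []
    for resource in sorted(matrix):
        for principal, rights in sorted(matrix[resource].items()):
            if principal == "Everyone" and rights & {"write", "modify"}:
                findings.append((resource, principal, "Everyone can change data"))
            if principal not in known_groups:
                findings.append((resource, principal, "rights granted to an individual account, not a group"))
    return findings


def new_grants(previous, current):
    """Rights present now that were absent from the previous audit (what changed this quarter)."""
    changes = []
    for resource in sorted(current):
        for principal, rights in sorted(current[resource].items()):
            added = rights - previous.get(resource, {}).get(principal, set())
            if added:
                changes.append((resource, principal, sorted(added)))
    return changes


if __name__ == "__main__":
    matrix = build_matrix(ACL_ENTRIES)
    print(to_csv(matrix))
    for finding in audit_findings(matrix):
        print("FINDING:", *finding)
```

Keeping each quarter’s CSV and running new_grants against the previous one turns the audit from “read everything again” into “explain only what changed”, which is where the surprises the post mentions tend to show up.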

As an added bonus, if you do your audit via the spreadsheet method I mentioned above, you can easily transfer this to a mobile device such as a laptop or PDA in order to have a quickly accessible reference to resource permissions when you are away from the network.

If you have never done a permissions audit on your network I highly recommend scheduling a few spread out across a year. I can guarantee that you will be surprised at some of the things you find.

Proactive Security

October 17th, 2006 No comments

Network security has gotten to a point where it can no longer be an afterthought. Every application you implement, every device you install, and every user you create must be done so with the utmost security in mind. In a world where technology is integrated into every facet of our lives we must do everything we can from a technical standpoint to ensure the integrity of the technology we rely on. Waiting for a problem to happen and then responding to it is something that can’t continue to happen if we hope to persist in securing our networks. If we ever hope to achieve a consistent level of network security it must be thought of as a proactive concept rather than a reactive one.

With these thoughts in mind, over the course of the next few weeks I am going to be releasing a series of brief articles here regarding proactive security. These are measures that you can take in order to possibly prevent future security issues on your network. This will cover a broad scope of both technical solutions as well as company policies that you can implement in order to achieve a more proactive state of thought in regards to network security.

I have several of these articles already lined up for publishing. As always however, I love to hear of things you are doing on your network that would fit into the category of proactive security. If you have anything you would like to see on this site please send it to me at chris@chrissanders.org. You will be given full credit on the site for your contribution as well as a link back to your website if you have one.

Embedding Data into Images with Steganography

May 2nd, 2006 5 comments

With concerns of internet privacy growing tremendously over the last few years the usage of covert channels of digital communication is on the rise. Embedding hidden data into various other forms of data is by no means a new technology. People have been embedding hidden files into images, music files, and even TCP/IP packets for several years. Through the use of various steganography applications this process is becoming easier and easier for even those who are not technically savvy. One of the most common ways of embedding data covertly is to use what is called the least significant bit (LSB) methodology of injecting data into an image.

How Bits Form Images

In order to understand how LSB technology works you must first understand exactly how data bits are used to represent a visual image. As most people know, an image is made up of pixels. Each pixel within an image is assigned a binary value that represents a color: black, white, or any of the 16.7 million possible colors. The binary value that determines a pixel’s color can be made up of anywhere from 8 to 24 bits depending on the color depth. The 16.7 million possible colors refer to the number of colors mathematically possible in a 24-bit image (2 raised to the 24th power). An 8-bit image only uses 256 of these 16.7 million colors. The number stored in the 8 bits of each pixel in an 8-bit image is actually a pointer to one of the colors in a 256-color palette. An 8-bit image tends to be smaller in size but carries less color detail than a 24-bit image because of its restrictive color palette. This is obvious in the math associated with having 8 bits of information that can each be a 1 or a 0: there are 256 different combinations of 1’s and 0’s in 8 bits, thus limiting the color palette of the image to 256 colors.

In 24-bit images, unlike 8-bit images, there are actually three sets of 8 bits that define the color for each pixel. Each of the primary colors (red, blue, and green) has 8 bits to itself. If we count all 24 bits, we realize 16.7 million different combinations of 1’s and 0’s are available to define a color. Thus, each pixel can represent one of over 16.7 million different colors. 24-bit images are called true color for just this reason, as they are capable of representing every red, green, and blue color value available.

How LSB Works

Least Significant Bit modification works by running software that is capable of determining what specific bits can be altered within a pixel without causing a visible difference. LSB modification takes the 1’s and 0’s from the payload file and inserts those into each pixel, starting at the bit least likely to make a noticeable change to the color of the pixel. Since a 1 or a 0 already exists in that spot, there is only ever a 50% chance that the bit will need to be changed.

[Image: Least Significant Bit]

Typically a steganography application will start at the least significant bits in each pixel and then move down the line toward the more significant bits as a larger amount of data is inserted into the carrier file. However, the more significant bits will make greater changes in color for the pixel when modified which can sometimes be picked up by the naked eye.
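The two sections above can be checked with a few lines of code, so here is an LSB embed/extract pair added as a worked example; it is not part of the original article and is not how S-Tools or any other tool does it internally. To stay offline it works on a constructed 24-bit “image”, a list of (R, G, B) tuples built from a gradient rather than a real file, and it writes a 4-byte length header ahead of the payload so the extractor knows where to stop. The two helper functions at the end measure what the text claims: no channel value moves by more than 1, and only about half of the written bits actually change anything.

```python
def make_carrier(width, height):
    """Constructed 24-bit 'image': (R, G, B) tuples with a deterministic gradient."""
    return [((x * 7) % 256, (y * 13) % 256, ((x + y) * 3) % 256)
            for y in range(height) for x in range(width)]


def _bits(data):
    """Yield the bits of a byte string, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Hide payload in bit 0 of each colour channel, walking the pixels in order.

    A 4-byte big-endian length header goes first so extract() knows how much to read.
    Only the least significant bit is touched, so no channel changes by more than 1.
    """
    message = len(payload).to_bytes(4, "big") + payload
    channels = [c for px in pixels for c in px]         # flatten to one channel per entry
    bits = list(_bits(message))
    if len(bits) > len(channels):
        raise ValueError(f"payload needs {len(bits)} bits, carrier only has {len(channels)}")
    for i, b in enumerate(bits):
        channels[i] = (channels[i] & 0xFE) | b          # clear bit 0, then set it to the payload bit
    return [tuple(channels[i:i + 3]) for i in range(0, len(channels), 3)]


def extract(pixels):
    """Read the length header, then that many bytes, back out of the channel LSBs."""
    channels = [c for px in pixels for c in px]

    def read_bytes(start_bit, count):
        out = bytearray()
        for k in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (channels[start_bit + k * 8 + j] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(channels):
        raise ValueError("length header does not fit the carrier; probably no payload here")
    return read_bytes(32, length)


def changed_channels(original, modified):
    """Count channel values that differ; roughly half the written bits already matched."""
    return sum(1 for a, b in zip(original, modified) for x, y in zip(a, b) if x != y)


def max_channel_delta(original, modified):
    """Largest change to any single channel value; LSB-only embedding keeps this at 1."""
    return max(abs(x - y) for a, b in zip(original, modified) for x, y in zip(a, b))


if __name__ == "__main__":
    carrier = make_carrier(64, 64)
    secret = b"meet at noon"                              # constructed payload
    stego = embed(carrier, secret)
    print("recovered:", extract(stego))
    print("bits written:", (4 + len(secret)) * 8,
          "channels changed:", changed_channels(carrier, stego),
          "max delta:", max_channel_delta(carrier, stego))
```

Running extract() on the untouched carrier raises the ValueError, because the gradient’s own low bits decode to a nonsense length; that same “does the header make sense” check is the first thing a detector for this particular scheme would try, which is a good reminder that the header format is part of what gives a stego tool away.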

LSB Modification Using S-Tools

There are several freeware applications available for employing LSB modification in images. One of these tools is the Steganography Tools or S-Tools package. This program is free and can be found in multiple locations with a simple Google search. S-Tools has the capability to insert data into both GIF and BMP files. In order to insert data into a carrier file you will need three things:

  • The S-Tools application
  • A carrier image file
  • A secret file to be inserted into the carrier file

[Image: S-Tools Application]

To insert data into the carrier file complete the following steps:

  1. Open the S-Tools program
  2. Click and drag your carrier file into S-Tools
  3. Click and drag your secret file onto the image as it resides in S-Tools
  4. A window will pop up that gives you the option of encrypting the data inserted into the carrier file via various popular encryption algorithms. Select one of these algorithms along with a passphrase and select “OK”

[Image: Inserting the Data]

  5. The next window will present several other options that are beyond the scope of this article. If you wish to learn more about this you can view the S-Tools help file. For now, we will simply click “OK”
  6. S-Tools will then encrypt and insert your hidden data into the carrier file and bring it up on screen. You can then right-click the image, select “Save As”, and then save the image to a location of your choice.

To pull hidden data from a carrier file:

  1. Open the S-Tools program
  2. Click and drag your carrier file into S-Tools
  3. Right click the image and select “Decrypt”
  4. Select the appropriate encryption algorithm and type the correct passphrase and click “OK”
  5. S-Tools will then pull the data from the carrier file and open a window displaying the extracted file. Right-click the filename and select “Save As” in order to select a location to save the newly uncovered file.

Conclusion

It is very easy to see how least significant bit modification can provide a perfect means of covert communication. This along with the various other forms of steganography can prove to be very effective in hiding sensitive data. One of the other very effective methods of hiding data involves fragmenting data directly into TCP packet headers. Look for an article on this in due time. Also be sure to look for my follow-up to this article regarding how to detect hidden steganography in image files.
